ipa-server-certinstall command failed with the error "ScriptError: Peer's certificate issuer is not trusted (SEC_ERROR_UNKNOWN_ISSUER)"

Solution Verified - Updated -

Issue

The customer has an IPA server without the CA component installed. They are using a CA certificate signed by an external certificate.
The customer is currently in the process of updating the new server certificate using the "ipa-server-certinstall" command; however, the process fails with the following error:

/usr/sbin/ipa-server-certinstall -v -d  /root/ipa_cert_update/server.crt /root/server_private.key  -p password --pin=pin

ScriptError: Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
ipa.ipaserver.install.ipa_server_certinstall.ServerCertInstall: ERROR: Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.

The customer indicated that one of the intermediate CA certificates was renewed recently.
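
The error above means the server certificate's issuer is missing from the trust store that ipa-server-certinstall validates against. The following script is an added example, not part of the original article: it builds a throwaway root, intermediate and server certificate and shows a chain pre-check that fails when only the root is trusted and passes once the intermediate is present. It assumes `openssl verify` as a stand-in for the NSS validation the tool performs, and every file name and CN in it is constructed.

```shell
#!/bin/sh
# Added example: every file name, CN and certificate here is constructed.

# chain_ok CERT CA_BUNDLE: true only if CERT chains to a CA in CA_BUNDLE.
chain_ok() {
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# new_csr BASENAME CN: fresh RSA key plus a signing request for CN.
new_csr() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# make_demo_pki DIR: throwaway root -> intermediate -> server chain.
make_demo_pki() {
    p=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$p/ca.ext"
    new_csr "$p/root" 'Demo Root CA' &&
    openssl x509 -req -in "$p/root.csr" -signkey "$p/root.key" -days 2 \
        -extfile "$p/ca.ext" -out "$p/root.pem" 2>/dev/null &&
    new_csr "$p/int" 'Demo Intermediate CA' &&
    openssl x509 -req -in "$p/int.csr" -CA "$p/root.pem" -CAkey "$p/root.key" \
        -CAcreateserial -days 2 -extfile "$p/ca.ext" -out "$p/int.pem" 2>/dev/null &&
    new_csr "$p/server" 'ipa.example.test' &&
    openssl x509 -req -in "$p/server.csr" -CA "$p/int.pem" -CAkey "$p/int.key" \
        -CAcreateserial -days 2 -out "$p/server.pem" 2>/dev/null &&
    cat "$p/root.pem" "$p/int.pem" > "$p/full-chain.pem"
}

demo() {
    d=$(mktemp -d) && make_demo_pki "$d" || return 1
    # Trust store holds only the root: the server cert's issuer is unknown.
    chain_ok "$d/server.pem" "$d/root.pem" || echo "root only: issuer not trusted"
    # Trust store holds root and intermediate: the chain is complete.
    chain_ok "$d/server.pem" "$d/full-chain.pem" && echo "full chain: OK"
    rm -rf "$d"
}
demo
```

Running `chain_ok` on the real server certificate against the CA certificates currently installed shows whether a renewed intermediate still has to be added with the ipa-cacert-manage install and ipa-certupdate commands named in the error message.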

Environment

  • Red Hat Enterprise Linux 7.5
  • IPA server without the IPA CA component
